Cluster Architecture and Installation
Kubernetes control plane components: kube-apiserver (the central REST API and the only component that reads from or writes to etcd; every other component, kubelet and controllers included, goes through it), etcd (distributed key-value store holding all cluster state, Secrets included), kube-scheduler (assigns unscheduled pods to nodes based on resource requests, taints/tolerations, and affinity/anti-affinity rules), kube-controller-manager (runs the built-in controllers: Node, ReplicaSet, Endpoints/EndpointSlice, ServiceAccount, and so on), cloud-controller-manager (cloud-provider-specific controllers for node lifecycle, routes, and load balancers).

Node components: kubelet (registers the node with the API server, manages the pod lifecycle, talks to the container runtime over CRI), kube-proxy (programs iptables or IPVS rules that route Service IPs to backend pods), container runtime (containerd or CRI-O; the built-in dockershim was removed in Kubernetes 1.24, so Docker Engine only works through the separate cri-dockerd adapter).

kubeadm: init (bootstraps the control plane), join (adds control-plane or worker nodes using a bootstrap token), upgrade plan/apply (cluster version upgrade). Know the upgrade sequence: upgrade the kubeadm package, run kubeadm upgrade plan and then kubeadm upgrade apply on the first control-plane node (kubeadm upgrade node on any additional control-plane nodes), then upgrade the kubelet and kubectl packages and restart the kubelet; then repeat on the workers one at a time, draining each node (kubectl drain) before upgrading it and uncordoning it afterwards. kubeadm upgrades one minor version at a time; do not skip minor versions.

etcd backup: etcdctl snapshot save with ETCDCTL_API=3 and the correct --endpoints, --cacert, --cert, --key flags (on a kubeadm cluster the etcd certificates live under /etc/kubernetes/pki/etcd/). The snapshot contains every Secret in the cluster, so protect it like a credential. Restore with etcdctl snapshot restore into a fresh --data-dir and point the etcd static pod manifest at the new directory.
Workloads: Pods, Deployments, and StatefulSets
Pod spec essentials: containers (name, image, command, args, env/envFrom, resources, volumeMounts, securityContext), volumes (emptyDir, hostPath, configMap, secret, persistentVolumeClaim), restartPolicy (Always/OnFailure/Never; Always is the default and the only value a Deployment permits), nodeSelector, tolerations, affinity. hostPath volumes and privileged containers give a pod access to the node, so expect Pod Security Admission to block them in hardened namespaces.

Deployment strategy: RollingUpdate (maxSurge, maxUnavailable, each an absolute count or a percentage) versus Recreate (all old pods are stopped before any new one starts). kubectl rollout status/history/undo manages revisions.

StatefulSet: stable network identity (pods are named <statefulset-name>-0, <statefulset-name>-1, ...), ordered deployment and deletion, and per-pod persistent storage through volumeClaimTemplates, which creates one PVC per replica that survives rescheduling. Requires a headless Service (clusterIP: None) so that each pod gets its own DNS record. DaemonSet: one pod per node (or a subset via nodeSelector/affinity, plus tolerations for tainted nodes). Job/CronJob: completions, parallelism, backoffLimit, activeDeadlineSeconds, cron schedule syntax.

Resource requests versus limits: requests are what the scheduler uses to place the pod (a node must have that much unallocated) and what the kubelet weights the pod by afterwards (CPU requests set cgroup CPU weight, memory requests factor into eviction order); limits are enforced by cgroups: CPU is throttled at the CFS quota, and a container exceeding its memory limit is OOM-killed. A limit set without a request defaults the request to the limit. QoS classes: Guaranteed (every container has both a CPU and a memory limit, with requests equal to them), Burstable (at least one container sets a request or limit but the pod does not meet the Guaranteed rule), BestEffort (no requests or limits anywhere in the pod). Under node memory pressure BestEffort pods are evicted first and Guaranteed pods last.
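The QoS rule is stricter than "requests == limits" suggests: it is evaluated per container and per resource, and a limit given without a request still counts as Guaranteed because the API server defaults the request to the limit. The following is an added example (not code from the page or from Kubernetes) that applies the documented rule to constructed Pod manifests written as Python dicts; the quantity parser covers only the suffixes needed for cpu and memory:

```python
"""QoS class of a Pod from its resource requests and limits (added example, not from the page).

Implements the documented rule: Guaranteed needs every container (init containers included)
to have both CPU and memory limits with requests equal to them; BestEffort needs no request or
limit anywhere; everything else is Burstable. The sample pods are constructed for illustration.
"""
from fractions import Fraction
import re

# Quantity suffixes sufficient for cpu and memory values.
_SUFFIX = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10 ** 3), "M": Fraction(10 ** 6), "G": Fraction(10 ** 9), "T": Fraction(10 ** 12),
    "Ki": Fraction(1024), "Mi": Fraction(1024 ** 2), "Gi": Fraction(1024 ** 3), "Ti": Fraction(1024 ** 4),
}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(q):
    """'500m' -> 1/2, '1' -> 1, '128Mi' -> 134217728; rejects unknown suffixes."""
    m = _QTY.match(str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def effective_resources(container):
    """API-server defaulting: a limit with no matching request makes request == limit."""
    res = container.get("resources", {})
    requests = dict(res.get("requests", {}))
    limits = dict(res.get("limits", {}))
    for name, lim in limits.items():
        requests.setdefault(name, lim)
    return requests, limits


def qos_class(pod):
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    any_set = False
    guaranteed = True
    for c in containers:
        requests, limits = effective_resources(c)
        for name in ("cpu", "memory"):
            req, lim = requests.get(name), limits.get(name)
            if req is not None or lim is not None:
                any_set = True
            # Guaranteed requires a limit for both resources in every container, equal to the request.
            if lim is None or parse_quantity(req) != parse_quantity(lim):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def _pod(*containers):
    return {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": list(containers)}}


# Constructed sample pods.
GUARANTEED_POD = _pod({"name": "app", "image": "app:1",
                       "resources": {"requests": {"cpu": "500m", "memory": "256Mi"},
                                     "limits": {"cpu": "0.5", "memory": "256Mi"}}})
# Only limits given: requests default to the limits, so this is still Guaranteed.
LIMITS_ONLY_POD = _pod({"name": "app", "image": "app:1",
                        "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}})
# A sidecar without a memory limit drops the whole pod to Burstable.
BURSTABLE_POD = _pod({"name": "app", "image": "app:1",
                      "resources": {"requests": {"cpu": "1", "memory": "1Gi"},
                                    "limits": {"cpu": "1", "memory": "1Gi"}}},
                     {"name": "sidecar", "image": "proxy:1",
                      "resources": {"requests": {"cpu": "100m"}, "limits": {"cpu": "200m"}}})
BEST_EFFORT_POD = _pod({"name": "app", "image": "app:1"})

if __name__ == "__main__":
    for label, pod in [("guaranteed", GUARANTEED_POD), ("limits-only", LIMITS_ONLY_POD),
                       ("burstable", BURSTABLE_POD), ("best-effort", BEST_EFFORT_POD)]:
        print(f"{label}: {qos_class(pod)}")
```

On a live cluster the same answer is in status.qosClass of the created Pod (kubectl get pod <name> -o jsonpath='{.status.qosClass}'); the point of the sidecar case is that one unlimited container, injected by a mesh or logging agent, silently changes the eviction ranking of the whole pod.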
Services, Networking, and Ingress
Service types: ClusterIP (virtual IP reachable only inside the cluster; the default), NodePort (additionally exposes the Service on every node's IP at a port in the 30000-32767 range), LoadBalancer (additionally provisions a cloud load balancer in front of the NodePort), ExternalName (returns a CNAME to an external DNS name; nothing is proxied). Endpoints/EndpointSlice objects are created and updated automatically from the pods that match the Service's selector, and only Ready pods receive traffic; a Service without a selector gets no automatic endpoints.

DNS: CoreDNS resolves <service>.<namespace>.svc.cluster.local; pod records use the pod IP with dots replaced by dashes, e.g. 10-244-1-5.<namespace>.pod.cluster.local. The search domains in a pod's /etc/resolv.conf let you use just <service> within the same namespace or <service>.<namespace> across namespaces.

Network Policies: ingress/egress rules built from podSelector, namespaceSelector and ipBlock peers (a podSelector and a namespaceSelector in the same from/to entry are ANDed; separate entries are ORed). A pod selected by no NetworkPolicy accepts all traffic; once any policy selects it for a direction, only traffic matching some rule in a selecting policy is allowed (allow-list semantics), so a policy with an empty podSelector, policyTypes [Ingress, Egress] and no rules is the standard default-deny for a namespace. Enforcement is the CNI plugin's job: the API server accepts NetworkPolicy objects on any cluster, but they do nothing on a CNI that does not implement them.

Ingress: routes HTTP/HTTPS traffic to Services based on host/path rules. Requires an Ingress Controller (ingress-nginx, Traefik, AWS Load Balancer Controller), and the Ingress's ingressClassName must match the controller. TLS termination via spec.tls referencing a Secret of type kubernetes.io/tls containing tls.crt and tls.key, in the same namespace as the Ingress.
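The allow-list semantics are easy to state and easy to get wrong in practice (a podSelector never reaches across namespaces; a policy that selects a pod but lists no rules denies everything). The following added example, which is not code from the page or from any CNI, models the ingress decision for constructed pods, namespaces and NetworkPolicy manifests written as Python dicts. It handles matchLabels selectors and numeric ports only, and ignores ipBlock peers because the sample traffic is pod-to-pod:

```python
"""Does a NetworkPolicy set admit a pod-to-pod connection? (added example, not from the page)

Models the ingress side of the semantics: a pod selected by no policy accepts everything; once
selected, only traffic matching some rule's from/ports passes. Simplifications: matchLabels only
(no matchExpressions), numeric ports only, and ipBlock peers are ignored because the sample
traffic is pod-to-pod. Pods, namespaces and policies below are constructed for illustration.
"""


def selector_matches(selector, labels):
    """matchLabels semantics; an empty selector {} matches everything, as in Kubernetes."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy):
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    # Defaulting: Ingress is always implied; Egress only when an egress section is present.
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def peer_matches(peer, src, namespaces, policy_ns):
    """One entry of a rule's 'from' list: podSelector and namespaceSelector in one entry are ANDed."""
    if "ipBlock" in peer:
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces.get(src["namespace"], {})):
            return False
        return "podSelector" not in peer or selector_matches(peer["podSelector"], src["labels"])
    # A bare podSelector only ever selects pods in the policy's own namespace.
    return src["namespace"] == policy_ns and selector_matches(peer.get("podSelector"), src["labels"])


def port_matches(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: every port is covered
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policies, src, dst, port, protocol="TCP", namespaces=None):
    namespaces = namespaces or {}
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in policy_types(p)
                 and selector_matches(p["spec"].get("podSelector", {}), dst["labels"])]
    if not selecting:
        return True  # default-allow: no policy selects the destination pod
    for p in selecting:
        for rule in p["spec"].get("ingress") or []:
            if not port_matches(rule, port, protocol):
                continue
            peers = rule.get("from")
            if not peers:
                return True  # a rule with no 'from' admits every source
            if any(peer_matches(peer, src, namespaces, p["metadata"]["namespace"]) for peer in peers):
                return True
    return False  # selected by a policy but matched no rule: allow-list semantics


# Constructed sample cluster state.
NAMESPACES = {"prod": {"kubernetes.io/metadata.name": "prod"},
              "dev": {"kubernetes.io/metadata.name": "dev"}}
PROD_WEB = {"namespace": "prod", "labels": {"app": "web"}}
PROD_DB = {"namespace": "prod", "labels": {"app": "db"}}
DEV_SCRATCH = {"namespace": "dev", "labels": {"app": "web"}}  # same label, wrong namespace

DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "prod"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_WEB_TO_DB = {"metadata": {"name": "allow-web-to-db", "namespace": "prod"},
                   "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                                         "ports": [{"protocol": "TCP", "port": 5432}]}]}}
ALLOW_DEV_TO_WEB = {"metadata": {"name": "allow-dev-to-web", "namespace": "prod"},
                    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "dev"}},
                                                    "podSelector": {"matchLabels": {"app": "web"}}}],
                                          "ports": [{"port": 80}]}]}}
POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_DB, ALLOW_DEV_TO_WEB]

if __name__ == "__main__":
    for label, src, dst, port in [("dev->db:5432", DEV_SCRATCH, PROD_DB, 5432),
                                  ("web->db:5432", PROD_WEB, PROD_DB, 5432),
                                  ("web->db:22", PROD_WEB, PROD_DB, 22),
                                  ("dev->web:80", DEV_SCRATCH, PROD_WEB, 80),
                                  ("db->web:80", PROD_DB, PROD_WEB, 80)]:
        print(label, ingress_allowed(POLICIES, src, dst, port, namespaces=NAMESPACES))
```

The dev pod carries the same app=web label as the allowed source but is refused on port 5432: a bare podSelector is scoped to the policy's namespace, and it takes the namespaceSelector in the third policy to let a pod from another namespace in. On a real cluster the only faithful check is to try the connection from the source pod (kubectl exec into it and use curl or nc), since kubectl has no dry-run for policy evaluation.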
Storage, Security, and Troubleshooting
PersistentVolume (PV): cluster-scoped storage resource. PersistentVolumeClaim (PVC): namespace-scoped request that binds to a PV matching its size, access mode and storageClassName. StorageClass: enables dynamic provisioning; its provisioner creates a PV automatically when a PVC referencing the class is created, and its reclaimPolicy (Delete or Retain) decides what happens to the volume when the PVC is deleted. Access modes: ReadWriteOnce (one node), ReadOnlyMany, ReadWriteMany, ReadWriteOncePod (one pod).

RBAC: Role/ClusterRole define what (rules of apiGroups, resources, verbs, optionally resourceNames), RoleBinding/ClusterRoleBinding define who gets it (User, Group or ServiceAccount subjects). A RoleBinding may reference a ClusterRole, which then grants those permissions only inside the binding's namespace; a ClusterRoleBinding grants them cluster-wide. RBAC is allow-only: there are no deny rules, so a subject has a permission as soon as any one binding grants it. ServiceAccount: identity for pods, seen by the API server as system:serviceaccount:<namespace>:<name> and a member of the groups system:serviceaccounts and system:serviceaccounts:<namespace>; its token is mounted into every pod using it unless automountServiceAccountToken: false. Common exam task: create a ServiceAccount, bind a Role, verify with kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<name> -n <namespace>.

Secrets: Opaque (generic key/value), kubernetes.io/tls, kubernetes.io/dockerconfigjson (created with kubectl create secret docker-registry). Values are only base64-encoded, and etcd stores them in plaintext unless encryption at rest (an EncryptionConfiguration on the API server) is enabled, so anyone with get or list on secrets, or with a copy of an etcd snapshot, can read them.

Troubleshooting workflow: kubectl describe (Events section at the bottom), kubectl logs (--previous for the crashed container's last run, -c to pick a container), kubectl exec -it for shell access, kubectl get events --sort-by=.metadata.creationTimestamp. Node issues: check kubelet status (systemctl status kubelet), journalctl -u kubelet, and on control-plane nodes the static pod manifests under /etc/kubernetes/manifests.
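kubectl auth can-i answers the question the API server would answer, but it does not show why. The following added example (not code from the page or from Kubernetes) resolves the same question over constructed Roles, ClusterRoles and bindings written as Python dicts, so the scoping rules are visible: a ClusterRole bound through a RoleBinding stays inside that namespace, and a ClusterRoleBinding on the automatic system:serviceaccounts:<namespace> group reaches every ServiceAccount in that namespace. It matches on apiGroup, resource and verb strings with the "*" wildcard and does not model aggregated ClusterRoles or nonResourceURLs:

```python
"""Resolve 'can subject X do verb V on resource R in namespace N?' the way RBAC does (added
example, not from the page). Roles, bindings and subjects below are constructed for illustration.
Simplifications: apiGroup/resource/verb string matching with the '*' wildcard only; no aggregated
ClusterRoles, no nonResourceURLs.
"""


def subject_groups(user):
    """Groups the authenticator attaches; a ServiceAccount token yields fixed, predictable ones."""
    groups = {"system:authenticated"}
    if user.startswith("system:serviceaccount:"):
        ns = user.split(":")[2]
        groups |= {"system:serviceaccounts", f"system:serviceaccounts:{ns}"}
    return groups


def binding_covers(binding, user):
    for s in binding.get("subjects", []):
        if s["kind"] == "User" and s["name"] == user:
            return True
        if s["kind"] == "Group" and s["name"] in subject_groups(user):
            return True
        if s["kind"] == "ServiceAccount" and user == f"system:serviceaccount:{s['namespace']}:{s['name']}":
            return True
    return False


def rule_allows(rule, verb, api_group, resource, name):
    def hit(values, want):
        return "*" in values or want in values
    if not (hit(rule.get("apiGroups", []), api_group) and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb)):
        return False
    names = rule.get("resourceNames")
    # resourceNames narrows a rule to named objects; an unnamed (list-style) request never matches it.
    return not names or (name is not None and name in names)


def can_i(rbac, user, verb, resource, namespace=None, api_group="", name=None):
    """namespace=None means a cluster-scoped request (nodes, namespaces, ...)."""
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in rbac.get("roles", [])}
    cluster_roles = {r["metadata"]["name"]: r for r in rbac.get("clusterRoles", [])}
    rules = []
    for b in rbac.get("clusterRoleBindings", []):
        if binding_covers(b, user):
            cr = cluster_roles.get(b["roleRef"]["name"])
            rules += cr.get("rules", []) if cr else []  # applies everywhere, cluster-scoped included
    for b in rbac.get("roleBindings", []):
        if b["metadata"]["namespace"] != namespace or not binding_covers(b, user):
            continue
        ref = b["roleRef"]
        role = (cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole"
                else roles.get((namespace, ref["name"])))
        rules += role.get("rules", []) if role else []  # a ClusterRole bound here is still namespace-bound
    # RBAC is allow-only: any matching rule grants, nothing can deny.
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def _rule(resources, verbs, api_groups=("",)):
    return {"apiGroups": list(api_groups), "resources": resources, "verbs": verbs}


# Constructed sample RBAC objects.
RBAC = {
    "roles": [{"metadata": {"name": "pod-reader", "namespace": "app"},
               "rules": [_rule(["pods", "pods/log"], ["get", "list", "watch"])]}],
    "clusterRoles": [{"metadata": {"name": "secret-reader"}, "rules": [_rule(["secrets"], ["get"])]},
                     {"metadata": {"name": "node-reader"}, "rules": [_rule(["nodes"], ["get", "list"])]}],
    "roleBindings": [
        {"metadata": {"name": "read-pods", "namespace": "app"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "app"}],
         "roleRef": {"kind": "Role", "name": "pod-reader"}},
        # A ClusterRole referenced from a RoleBinding grants only inside 'app'.
        {"metadata": {"name": "read-app-secrets", "namespace": "app"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "app"}],
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}}],
    "clusterRoleBindings": [
        # Reaches every ServiceAccount in 'app' through the automatic group.
        {"metadata": {"name": "app-sa-node-readers"},
         "subjects": [{"kind": "Group", "name": "system:serviceaccounts:app"}],
         "roleRef": {"kind": "ClusterRole", "name": "node-reader"}}],
}
CI_BOT = "system:serviceaccount:app:ci-bot"

if __name__ == "__main__":
    for verb, res, ns in [("list", "pods", "app"), ("delete", "pods", "app"), ("list", "pods", "other"),
                          ("get", "secrets", "app"), ("get", "secrets", "other"), ("list", "nodes", None)]:
        print(f"can-i {verb} {res} ns={ns}: {can_i(RBAC, CI_BOT, verb, res, namespace=ns)}")
```

The equivalent live check for the first case is kubectl auth can-i list pods --as=system:serviceaccount:app:ci-bot -n app; the group-based ClusterRoleBinding is the one to watch for in an audit, because it silently grants node access to a ServiceAccount created later in that namespace.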